88 'high-risk' security defects found in Android kernel

Summary: The high-risk defects in the Android kernel included memory corruption flaws, memory illegal accesses and resource leaks.

TOPICS: Software, Android, Google

A security audit of the Android kernel has turned up 88 "high-risk defects" with significant potential to cause security vulnerabilities, data loss, or quality problems such as system crashes.

According to Coverity, a source code analysis firm, the high-risk defects included memory corruption flaws, memory illegal accesses and resource leaks.

The analysis was conducted against the Android kernel 2.6.32 (code named “Froyo”).  This kernel is targeted for smartphones based on the Qualcomm MSM7xxx/QSD8x50 chipset, specifically the HTC Droid Incredible. In addition to the standard kernel, this version includes support for wireless, touchscreen, and camera drivers.

Here's the gist of Coverity's findings:

  • The Android kernel used in the HTC Droid Incredible has about half the defects that would be expected for similar software of the same size.
  • The Android kernel has better than industry average defect density (one defect for every 1,000 lines of code); however the report discovered 359 defects that are believed to be in the shipping version of the HTC Droid Incredible. We believe the defects we found are a sample of what could be shipping in many OEMs' devices and products that leverage the Android platform.
  • We found 88 high-risk defects in Android: 25% of the Android defects discovered, including memory corruptions, memory illegal accesses, and resource leaks, are considered high-risk with significant potential to cause security vulnerabilities, data loss, or quality problems such as system crashes. These are traditionally defect types that many of our customers fix and eliminate completely prior to shipping a product.
  • Accountability for Android software integrity is fragmented. The problem is no different with Android than what we see across open source. Android is based on Linux, which has thousands of contributors. Compound that with the Android developers from Google, the contributors to Android from the larger development community, and OEMs that supply components for specific configurations of Android to support different types of devices, and the lines of accountability are quickly blurred. It’s not clear who is ultimately accountable, but it is clear that a new level of visibility is needed to provide the OEMs that incorporate Android in their software supply chain with an objective measurement of Android software integrity.

Talkback

56 comments
  • RE: 88 'high-risk' security defects found in Android kernel

    Not surprised. Actually these risks were expected when you use linux as your base. And you wonder why I stay clear of using it.
    Loverock Davidson
    • FLOSS security at work again

      "but... but... but... but... with many eyes reviewing the code our software is more secure than the proprietary one." FLOSS looks like a big fat government with each passing day good at only making beautiful and yet hollow promises just to fool the public.
      LBiege
      • did you even read the article?

        @LBiege from the above post:

        "The Android kernel used in the HTC Droid Incredible has about half the defects that would be expected for similar software of the same size"

        "The Android kernel has better than industry average defect density"

        Apparently "many eyes" appear to be doing a pretty good job. Let's see how long it takes to get these fixed.

        In other news, Microsoft is a dying consumer brand. Don't take my word for it...
        http://money.cnn.com/2010/10/27/technology/microsoft_pdc/index.htm

        I also have to quote LD himself from his recent post:
        http://www.zdnet.com/blog/security/two-year-old-data-leakage-flaw-still-haunts-internet-explorer/7604
        "Its not a problem if there are no exploits."

        I'm not going to comment on a two+ year old browser flaw. Except maybe they can use many more eyes.
        ~doolittle~
      • Microsoft is a dying breed...

        That's why their browser has the highest marketshare, their OS has the highest marketshare, and they're the industry standard.
        Michael Alan Goff
      • RE: 88 'high-risk' security defects found in Android kernel

        @LBiege Well said below...
        Has anyone done the same type of analysis on iOS? Or is it impossible because of its "close source" nature? I wonder.
        asg749d@...
      • RE: 88 'high-risk' security defects found in Android kernel

        @LBiege Except someone spotted these bugs and they're being worked on right now. It's a lot better than having to wait for God knows when the OEM spots the bug (if ever).
        snoop0x7b
      • RE: Microsoft is a dying breed...

        @goff256 wrote "That's why their browser has the highest marketshare, their OS has the highest marketshare, and they're the industry standard. "

        Yes I believe they were comparing Android directly to Windows Mobile and gathered these conclusions:

        "The Android kernel used in the HTC Droid Incredible has about half the defects that would be expected for similar software of the same size"

        "The Android kernel has better than industry average defect density"

        They just forgot to mention "when directly compared to Windows Mobile kernel..."
        ~doolittle~
      • All you CrAppleholics and Microcrud Tards are Delirious w/ Joy!

        @LBiege ....until you all find out that both of these companies have put out some of the most ridiculously flawed software on the planet! haha....

        "So, how does Android stack up? Well, according to the report, the Android kernel has around half the bugs that would be expected for a project of its size, and has a better than industry average of defects per lines of code, with roughly one defect per 1,000 lines of code." quote by Adrian on ZDNet.

        Note: Google Android uses "Clean Room" code development and Andy Rubin has stated that on average Android OS can be considered one of the Cleanest Coding Environments out there!

        Since Ryan Retardo obviously manipulated this story based on their report to go two ways. #1 First way so you morons could feel good about beating up on Android as if there was anything to complain about and #2 the positive REALITY that was in this REPORT, that he intentionally slanted to get page hits!

        If you had the sense enough to actually get the report, you'd see that "better than industry average of defects per lines of code" (as in around 1 per 1,000 lines) is in fact outstanding.

        That's the reality and I'll bet even iOS wouldn't fare any better (most likely far worse). But we'll never know that, will we? Because it's closed source proprietary like Microsoft's. Who originally were putting out some of the dirtiest code on the planet from Quick and Dirty Operating System (QDOS) and PCDOS (MSDOS was better on purpose btw)! CrApple wasn't much better than MS, using college Code Slaves themselves. Instead of Code Warriors to develop their early code!

        btw.... this is one very big reason Open Source is much cleaner than any proprietary code. It's a known fact that proprietary software hides their defects by using Closed Source as an excuse!

        Linux is much cleaner than any other Operating System Code!
        http://lwn.net/Articles/22623/

        http://lwn.net/Articles/115530/

        "(a) Industry Average: "about 15 - 50 errors per 1000 lines of delivered code." He further says this is usually representative of code that has some level of structured programming behind it, but probably includes a mix of coding techniques."

        Quote taken from book "Code Complete" by Steve McConnell
        http://stackoverflow.com/questions/862277/what-is-the-industry-standard-for-bugs-per-1000-lines-of-code

        88 potential flaws is a joke in relation to Millions of bits of code. This idiot just took advantage of all you morons' ignorance. So take that you Microcrud losers and iCrAppleholics!!! ;)
        i2fun@...
    • RE: 88 'high-risk' security defects found in Android kernel

      @Loverock Davidson
      Expect you're using it right now... ZDnet's servers use Linux!
      ZackCDLVI
    • RE: 88 'high-risk' security defects found in Android kernel

      @Loverock Davidson, Always the Linux basher aren't you!
      I'll take my Buggy Linux over your Windows thingy anytime!
      John Biles
  • RE: 88 'high-risk' security defects found in Android kernel

    yeah...cause closed source is better? security via obscurity works so well everyone should use it
    ALISON SMOCK
    • RE: 88 'high-risk' security defects found in Android kernel

      @stebidri - don't deflect. The story is not about closed source software - it's about one of the most widely used OS for smartphones which thus has lots of eyes poring over it ... and yet, these bugs were not identified and fixed prior to shipping.

      Sounds to me like the "many eyes" benefit claim is null and void at this point.
      De-Void
      • RE: 88 'high-risk' security defects found in Android kernel

        @De-Void Or many eyes found the bugs... Although it was done with an automated tool and no one knows what they are yet, so it's tentative at best.
        snoop0x7b
    • Six in one, half a dozen in the other...

      @stebidri
      Open source has its benefits, but obviously has its flaws as well. Security through obscurity is still one of the most effective methods of security to date. FLOSS is not a bad idea, just a good one poorly implemented, but uncertain whether there is truly a good way to implement this. Military also practices this methodology of obscuring the facts.

      FLOSS = Socialism = Fragmented Support. We learn this in economics. Where the many are responsible for the product, the product is not taken care of as well. Where the owner/creator has a direct benefit the yields are higher, the waste is lesser, and the overall economical contribution is greater... We call this capitalism. This is a fact of life, and I see no reason for it to differ with software or any other resource.
      ryanstrassburg
      • Alright rand paul...

        @ryanstrassburg and Obama wasn't born in the US too right! Love extremism, there should be no government, no co-ops, individualism triumphs over all else, you only benefit from your own hard work right, after all we live in a true meritocracy right?
        jivester
      • RE: 88 'high-risk' security defects found in Android kernel

        @ryanstrassburg

        Where did you study economics? The myth of the tragedy of the commons has in most contexts, including this one, been dismissed.
        tkejlboom
      • Security by obscurity?

        @ryanstrassburg The problem with security by obscurity is that once you lose the obscurity, you lose the security. Even Microsoft themselves no longer follow a pure "security by obscurity" policy where problems were typically swept under the rug (which was pretty much the catalyst that brought the "full disclosure" movement into existence).

        Also, the article itself paints a significantly brighter picture than the topic says: Froyo has fewer bugs than other software of comparable size and function, and the "high-risk" bugs are the kinds of things that generally get dealt with prior to shipping anyway.

        The way to get real security is not by sweeping everything under the rug, but by making it secure in the first place, through rigorous testing and review. One popular way of securing something is what they do with safe deposit boxes--multiple keys, each from a different person, are required to open the door, thus avoiding the "single point of failure" problem.

        As for the "socialism" thing, I assume that you don't use any public roads, take public transit, receive help from any police or fire departments, or consume any FDA-approved products? Socialism is all around you. The very idea of society is socialism. Even capitalism is tempered with socialism to a certain extent--if it weren't, we'd probably be back in the days of robber barons, child labor, and slavery.
        Third of Five
  • Thank you Ryan Naraine

    All software, including the Linux Kernel, has bugs. Bugs do not equal a security exploit.
    If a bug on any software or OS can be found before it becomes a Multi Billion dollar business for the wrong reasons, all the better. (A bug is a flaw)

    Hooay!
    daikon
    • RE: 88 'high-risk' security defects found in Android kernel

      @Linux Rocks
      Linoxe is the only one affected :)

      Hooay!
      shellcodes_coder
      • What is Linoxe

        @shellcodes_coder
        You may be scared to say, I am not.
        Linux is the only one affected. That may come to be.

        That is the beauty of Open Source, continuously scrutinized every day by developers and users around the world, as well as firms like Coverity. The result? Flaws are found and fixed.
        Hey there are 291 Open Source projects that Coverity scans code all the time.

        (Hooay!) Sad that you chose to mock a United States Army battle cry, Truly sad.

        Hooay!
        daikon